source: TI12-security/trunk/MyProxyWebService/myproxy/ws/client/myproxy-ws-logon.sh @ 7780

Revision 7780, 3.6 KB checked in by pjkersha, 10 years ago (diff)

Complete - task 20: Check for MyProxy Logon bash script bug

  • added ability to get trust roots script to set CA dir explicitly.
  • Property keywords set to Id
  • Property svn:executable set to *
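#!/bin/bash
#
# Client script for web service interface to MyProxy logon based on openssl and
# curl
#
# @author P J Kershaw 25/05/2010
#
# @copyright: (C) 2010 STFC
#
# @license: BSD - See top-level LICENCE file for licence details
#
# $Id$
#
# Flow: generate a fresh RSA key pair and certificate request locally, POST the
# request to the MyProxy web service authenticating with HTTP Basic auth
# (username + MyProxy pass phrase), and write the certificate returned by the
# service followed by the private key to the output path: -o if given, else
# $X509_USER_PROXY, else stdout.
#
# Security notes (why the script is shaped the way it is):
#   * the pass phrase is handed to curl through a config file on a private
#     file descriptor, never on the command line where any local user could
#     read it from ps / /proc;
#   * the service is verified against an explicit CA directory (--capath), so
#     the credentials are only ever sent to a server with a trusted
#     certificate;  SSLv3 is no longer forced (POODLE), TLS 1.x is required;
#   * the output proxy contains a private key, so it is created mode 0600 and
#     never written through a pre-existing symlink;
#   * the CSR temp file is created with mktemp and removed on every exit path.

cmdname=$(basename -- "$0")

# die MESSAGE...: report MESSAGE on stderr and exit 1.  The EXIT trap set
# below still runs, so the temporary CSR file is always cleaned up.
die() {
    printf '%s: %s\n' "$cmdname" "$*" >&2
    exit 1
}

# Usage text.  ${HOME} is expanded here (as in the original); \$LOGNAME is
# shown literally.
usage="Usage: $cmdname [-U MyProxy Web Service URI][-l username] ...

   Options
       -h | --help                        Displays usage
       -U | --uri <uri>                   MyProxy web service URI
       -l | --username <username>         Username for the delegated proxy
                                          (defaults to \$LOGNAME)
       -S | --stdin_pass                  pass password from stdin rather
                                          prompt from tty
       -o | --out <filepath>              Location of delegated proxy (default
                                          to stdout)
       -c | --ca-directory <directory path>
                                          Directory containing the trusted CA
                                          (Certificate Authority) certificates.
                                          These are used to verify the identity
                                          of the MyProxy Web Service.  Defaults
                                          to ${HOME}/.globus/certificates or
                                          /etc/grid-security/certificates if
                                          running as root."

# Parse options with util-linux getopt so long options are accepted.  The exit
# status has to be tested on this very line: testing $? later (after the usage
# assignment) silently accepted bad command lines.  Note the comma between
# "out:" and "ca-directory:" - without it --ca-directory was never recognised.
cmdline_opt=$(getopt -o hU:l:So:c: \
    --long help,uri:,username:,stdin_pass,out:,ca-directory: \
    -n "$cmdname" -- "$@") || { printf '%s\n' "$usage" >&2; exit 1; }

# getopt emits a shell-quoted word list; eval is the documented way to re-read
# it into the positional parameters.  It only ever sees getopt's own output.
eval set -- "$cmdline_opt"

uri=
username=
stdin_pass=
outfilepath=
ca_directory=
while true; do
    case "$1" in
        -h|--help)          printf '%s\n' "$usage"; exit 0 ;;
        -U|--uri)           uri=$2; shift 2 ;;
        -l|--username)      username=$2; shift 2 ;;
        -S|--stdin_pass)    stdin_pass=True; shift ;;
        -o|--out)           outfilepath=$2; shift 2 ;;
        # -c was advertised in the usage text but had no handler, so the
        # option documented for setting the trust root could not be used.
        -c|--ca-directory)  ca_directory=$2; shift 2 ;;
        --)                 shift; break ;;
        *)                  die "Error parsing command line" ;;
    esac
done

if [[ -z $uri ]]; then
    printf '%s\n' "Give the URI for the MyProxy web service logon request" \
        "$usage" >&2
    exit 1
fi

# Default to LOGNAME if not set on command line
username=${username:-$LOGNAME}
[[ -n $username ]] || die "No username given and LOGNAME is not set"

# Read password.  The prompt goes to stderr (read -p does that), so it never
# lands in the proxy when the proxy is written to stdout.
if [[ -n $stdin_pass ]]; then
    # Accept a final line without a trailing newline; reject empty input.
    IFS= read -r password || [[ -n $password ]] \
        || die "No pass phrase read from stdin"
else
    # read -s switches echo off and restores it itself; the old stty -echo /
    # stty echo pair left the terminal without echo if the user hit Ctrl-C at
    # the prompt.  (Very old bash versions may still not restore on SIGINT.)
    IFS= read -rs -p "Enter MyProxy pass phrase: " password
    printf '\n' >&2
fi

# Set-up trust root: explicit -c option, then $X509_CERT_DIR, then the Globus
# defaults.  "Running as root" is decided by the effective uid, not by the
# MyProxy username (which is unrelated to the local account).
if [[ -n $ca_directory ]]; then
    cadir=$ca_directory
elif [[ -n ${X509_CERT_DIR-} ]]; then
    cadir=$X509_CERT_DIR
elif (( EUID == 0 )); then
    cadir=/etc/grid-security/certificates
else
    cadir=${HOME}/.globus/certificates
fi
# Fail early with a clear message rather than a curl verification error.
# curl --capath expects the directory to contain hash-named (c_rehash) certs.
[[ -d $cadir ]] || die "Trusted CA directory '$cadir' does not exist"

# Set output file path: -o, else $X509_USER_PROXY, else stdout
if [[ -z $outfilepath ]]; then
    outfilepath=${X509_USER_PROXY:-/dev/stdout}
fi

# Temporary file for the certificate request.  mktemp gives an unpredictable,
# owner-only name (the old /tmp/$UID-$RANDOM.csr could be guessed and
# pre-created by another user) and the trap removes it on every exit path.
certreqfilepath=$(mktemp "${TMPDIR:-/tmp}/$cmdname.XXXXXX") \
    || die "Cannot create temporary file for the certificate request"
trap 'rm -f -- "$certreqfilepath"' EXIT

# Generate key pair and request.  The PEM private key is captured in 'key';
# the CSR goes to the temp file.  openssl's progress chatter on stderr is
# discarded, so check the status and that a key was actually produced.
if ! key=$(openssl req -new -newkey rsa:2048 -nodes -keyout /dev/stdout \
               -subj /CN=dummy -out "$certreqfilepath" 2>/dev/null) \
    || [[ -z $key ]]; then
    die "Failed to generate key pair and certificate request"
fi

# Post request to MyProxy web service passing username/password for HTTP Basic
# auth based authentication.
#
# Nb. Earlier versions of curl don't support --data-urlencode so use this
# workaround instead...
#
# Only '+' needs encoding in the PEM: it would otherwise be decoded as a
# space.  '/', '=' and newlines pass through form decoding unchanged, and '&'
# never occurs in base64.
encoded_certreq=$(sed 's/+/%2B/g' < "$certreqfilepath") \
    || die "Cannot read certificate request"

# Credentials go to curl via a config file on a private file descriptor
# (process substitution) instead of -u on the command line, where the pass
# phrase would be visible to every local user.  Inside a double-quoted curl
# config value only backslash and double quote need escaping.
curl_user_escaped=${username//\\/\\\\}
curl_user_escaped=${curl_user_escaped//\"/\\\"}
curl_pass_escaped=${password//\\/\\\\}
curl_pass_escaped=${curl_pass_escaped//\"/\\\"}

# --tlsv1 replaces the old --sslv3: SSLv3 is broken (POODLE) and refused by
# current TLS libraries; TLS 1.x lets curl negotiate the best version.
# -w appends " <http status>" after the body so it can be split off below.
response=$(curl "$uri" --tlsv1 \
    -K <(printf 'user = "%s:%s"\n' "$curl_user_escaped" "$curl_pass_escaped") \
    --data "certificate_request=$encoded_certreq" \
    --capath "$cadir" -w " %{http_code}" -s -S)
curl_status=$?
unset password curl_pass_escaped

# Split the trailing " <code>" written by -w from the body.  $(printf ...)
# drops the body's trailing newlines so the certificate is written exactly
# once with a single terminating newline.
responsecode=${response##* }
responsemsg=$(printf '%s' "${response% *}")
if (( curl_status != 0 )); then
    # curl -S already printed its own diagnostic (e.g. TLS verification
    # failure) on stderr.
    die "curl failed with exit status $curl_status contacting $uri"
fi
if [[ $responsecode != 200 ]]; then
    printf '%s\n' "$responsemsg" >&2
    exit 1
fi

# Simple sanity check on response
if [[ $responsemsg != -----BEGIN\ CERTIFICATE-----* ]]; then
    printf '%s\n' "Expecting certificate in response; got:" "$responsemsg" >&2
    exit 1
fi

# write_proxy: emit the proxy in the order Globus tools expect - certificate
# first, private key after it.
write_proxy() {
    printf '%s\n' "$responsemsg"
    printf '%s\n' "$key"
}

if [[ $outfilepath == /dev/* ]]; then
    # Devices such as /dev/stdout are written in place; no mode to set.
    write_proxy > "$outfilepath" || die "Cannot write proxy to $outfilepath"
else
    # The file holds a private key.  Remove any existing file or symlink
    # instead of truncating it (a symlink planted at e.g. /tmp/x509up_u<uid>
    # would otherwise redirect the key, and an old 0644 mode would survive),
    # then create it 0600 with O_EXCL (noclobber) in a subshell so the umask
    # change does not leak into the caller's environment.
    if [[ -L $outfilepath || -f $outfilepath ]]; then
        rm -f -- "$outfilepath" || die "Cannot replace $outfilepath"
    fi
    ( umask 077; set -o noclobber; write_proxy > "$outfilepath" ) \
        || die "Cannot write proxy to $outfilepath"
fi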